[arch-dev-public] [RFC] Moving repos to nymeria

[Xyne]

Gaetan Bisson wrote:

>[2012-09-16 16:03:19 +0000] Xyne:
>> By "check it" I mean check that each signature in the database is authentic and
>> trusted, and that every package in the database is signed.
>
>Signing the DB serves a completely different purpose to all the
>signatures on its packages.

I see now that what I proposed would not ensure the integrity of package
metadata such as dependencies.

What about individually signing the metadata of each package in the database
when a package is added? The packaging procedure would then be:

1) build and sign package locally
2) generate and sign "depends", "desc", etc. files locally
3) upload package and signatures to server
4) add package and signatures to (locked) database on server
5) download database
6) check metadata signatures
7) sign database and upload signature


Cons:
* redundant generation of metadata files
* more data in database

Pros:
* database integrity can be checked without having to rebuild it locally

To clarify, with a chain of trust you need a trusted starting point. That means
that someone has to verify all of the package signatures and then locally
rebuild the database from scratch. If there is ever a doubt that the chain has
been broken (due to malice, carelessness in updates, whatever) then that needs
to be repeated. Signing per-package metadata should avoid that.


The metadata signatures could be kept out of the database if space is an issue,
but each packager would need to download them to check the database in that
case.

If they are kept in the database then signing the database file itself may be
unnecessary. Pacman could verify the integrity of the metadata for each package
when it downloads the database.